Information Security -- Part II Public-Key Encryption and Hash Functions. Frank Yeong-Sung Lin Information Management Department National Taiwan University.
Principles of Public-Key Cryptosystems Information Security -- Public-Key Cryptography
Principles of Public-Key Cryptosystems (cont’d)
• Requirements for PKC
  • easy for B (receiver) to generate $KU_b$ and $KR_b$
  • easy for A (sender) to calculate $C = E_{KU_b}(M)$
  • easy for B to calculate $M = D_{KR_b}(C) = D_{KR_b}(E_{KU_b}(M))$
  • infeasible for an opponent to calculate $KR_b$ from $KU_b$
  • infeasible for an opponent to calculate $M$ from $C$ and $KU_b$
  • (useful but not necessary) $M = D_{KR_b}(E_{KU_b}(M)) = E_{KU_b}(D_{KR_b}(M))$ (true for RSA and good for authentication)
Principles of Public-Key Cryptosystems (cont’d)
• The idea of PKC was first proposed by Diffie and Hellman in 1976.
• Two keys (public and private) are needed.
• The difficulty of calculating $f^{-1}$ is typically provided by
  • factorization of large numbers
  • resolution of NP-completeness
  • calculation of discrete logarithms
• High complexity confines PKC to key management and signature applications
Principles of Public-Key Cryptosystems (cont’d)
• Comparison between conventional and public-key encryption
Principles of Public-Key Cryptosystems (cont’d)
• Applications for PKC
  • encryption/decryption
  • digital signature
  • key exchange
The RSA Algorithm
• Developed by Rivest, Shamir, and Adleman at MIT in 1978
• First well-accepted and widely adopted PKC algorithm
• Security based on the difficulty of factoring large numbers
• Patent expired in 2001
The RSA Algorithm (cont’d)
* Relatively prime (also called coprime): if the greatest common divisor of N integers is 1, those N integers are said to be relatively prime.
The RSA Algorithm (cont’d)
Primes under 2000
The RSA Algorithm (cont’d)
• The above statement is referred to as the prime number theorem, which was proven in 1896 by Hadamard and Poussin.
The RSA Algorithm (cont’d)
• Is there a simple formula to generate prime numbers?
• An ancient Chinese mathematician conjectured that if $n$ divides $2^n - 2$ then $n$ is prime. For $n = 3$, 3 divides 6 and $n$ is prime. However, for $n = 341 = 11 \times 31$, $n$ divides $2^{341} - 2$.
• Mersenne suggested that if $p$ is prime then $M_p = 2^p - 1$ is prime. Primes of this type are referred to as Mersenne primes*. Unfortunately, for $p = 11$, $M_{11} = 2^{11} - 1 = 2047 = 23 \times 89$.
The RSA Algorithm (cont’d)
* In mathematics, a Mersenne number is a positive integer that is one less than a power of two: $M_n = 2^n - 1$. Some definitions of Mersenne numbers require that the exponent $n$ be prime. A Mersenne prime is a Mersenne number that is prime. As of September 2008, only 46 Mersenne primes are known; the largest known prime number ($2^{43,112,609} - 1$) is a Mersenne prime, and in modern times, the largest known prime has almost always been a Mersenne prime. Like several previously-discovered Mersenne primes, it was discovered by a distributed computing project on the Internet, known as the Great Internet Mersenne Prime Search (GIMPS). It was the first known prime number with more than 10 million digits.
The RSA Algorithm (cont’d)
• Fermat conjectured that if $F_n = 2^{2^n} + 1$, where $n$ is a non-negative integer, then $F_n$ is prime. When $n$ is less than or equal to 4, $F_0 = 3$, $F_1 = 5$, $F_2 = 17$, $F_3 = 257$ and $F_4 = 65537$ are all primes. However, $F_5 = 4294967297 = 641 \times 6700417$ is not a prime number.
• $n^2 - 79n + 1601$ yields primes only for $n < 80$.
• There are an infinite number of primes of the form $4n + 1$ or $4n + 3$.
• There is no simple way so far to generate prime numbers.
The RSA Algorithm (cont’d)
• Prime gap: displacement between two consecutive prime numbers
  • 0 is the smallest
  • unbounded from above
  • $n!+2$ (divisible by 2), $n!+3$ (divisible by 3), $n!+4$ (divisible by 4), …, $n!+n$ (divisible by $n$) are not prime
The RSA Algorithm (cont’d)
• Fermat’s Little Theorem (to be proven later): If $p$ is prime and $a$ is a positive integer not divisible by $p$, then $a^{p-1} \equiv 1 \pmod p$.
Example: $a = 7$, $p = 19$
$7^2 = 49 \equiv 11 \pmod{19}$
$7^4 \equiv 121 \equiv 7 \pmod{19}$
$7^8 \equiv 49 \equiv 11 \pmod{19}$
$7^{16} \equiv 121 \equiv 7 \pmod{19}$
$a^{p-1} = 7^{18} = 7^{16+2} \equiv 7 \times 11 \equiv 1 \pmod{19}$
The RSA Algorithm (cont’d)
• $A = M + ip$ for a non-negative integer $i$.
• $A = M + jq$ for a non-negative integer $j$.
• From the above two equations, $ip = jq$.
• Then, $i = kq$.
• Consequently, $A = M + ip = M + kpq$. Q.E.D. (quod erat demonstrandum)
The RSA Algorithm (cont’d)
• Example 1
  • Select two prime numbers, $p = 7$ and $q = 17$.
  • Calculate $n = p \times q = 7 \times 17 = 119$.
  • Calculate $\Phi(n) = (p-1)(q-1) = 96$.
  • Select $e$ such that $e$ is relatively prime to $\Phi(n) = 96$ and less than $\Phi(n)$; in this case, $e = 5$.
  • Determine $d$ such that $d \times e \equiv 1 \pmod{96}$ and $d < 96$. The correct value is $d = 77$, because $77 \times 5 = 385 = 4 \times 96 + 1$.
The RSA Algorithm (cont’d)
• Key generation
  • determining two large prime numbers, p and q
  • selecting either e or d and calculating the other
• Probabilistic algorithm to generate primes
  • [1] Pick an odd integer n at random.
  • [2] Pick an integer a < n (a is clearly not divisible by n) at random.
  • [3] Perform the probabilistic primality test, such as Miller-Rabin. If n fails the test, reject the value n and go to [1].
  • [4] If n has passed a sufficient number of tests, accept n; otherwise, go to [2].
The RSA Algorithm (cont’d)
• How many trials on average are required to find a prime?
  • from the prime number theorem, primes near $n$ are spaced on average one every $\ln n$ integers
  • even numbers can be immediately rejected
  • for a prime on the order of $2^{200}$, about $(\ln 2^{200})/2 = 70$ trials are required
• To calculate $e$, what is the probability that a random number is relatively prime to $\Phi(n)$? About 0.6.
The RSA Algorithm (cont’d)
• For fixed-length keys, how many primes can be chosen?
  • for 64-bit keys, $2^{64}/\ln 2^{64} - 2^{63}/\ln 2^{63} \approx 2.05 \times 10^{17}$
  • for 128- and 256-bit keys, $1.9 \times 10^{36}$ and $3.25 \times 10^{74}$, respectively, are available
• For fixed-length keys, what is the probability that a randomly selected odd number a is prime?
  • for 64-bit keys, $2.05 \times 10^{17}/(0.5 \times (2^{64} - 2^{63})) \approx 0.044$ (expectation value: $1/0.044 \approx 23$)
  • for 128- and 256-bit keys, 0.022 and 0.011, respectively
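The prime-generation steps [1] to [4] and the trial-count estimates, as an added example that is not part of the original slides. It also shows that 341 and 2047, the slides' counterexamples, both pass the "n divides 2^n - 2" test while Miller-Rabin rejects them; the function names, the seed and the 20-round default are assumptions made for the example.

```python
import math
import random

def fermat_base2(n):
    """The conjecture quoted on the slides: does n divide 2^n - 2?"""
    return (pow(2, n, n) - 2) % n == 0

def miller_rabin(n, rng, rounds=20):
    """Steps [2]-[4]: test n against `rounds` random bases a < n."""
    if n < 5:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, s = n - 1, 0
    while d % 2 == 0:              # write n - 1 as d * 2^s with d odd
        d, s = d // 2, s + 1
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue               # this base does not expose n; try another
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False           # a proves n composite: reject n
    return True                    # n passed every round: accept n

def generate_prime(bits, rng):
    """Step [1] in a loop: return (prime, number of odd candidates drawn)."""
    trials = 0
    while True:
        trials += 1
        n = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if miller_rabin(n, rng):
            return n, trials

def expected_trials(bits):
    """Slide estimate: spacing ln(2^bits), halved by skipping even numbers."""
    return bits * math.log(2) / 2

# Seeded PRNG so the run is reproducible; real keys need secrets.SystemRandom().
rng = random.Random(2008)
counts = [generate_prime(64, rng)[1] for _ in range(200)]
average_trials = sum(counts) / len(counts)
```

The measured `average_trials` for 64-bit candidates lands near the slides' expectation of about 23, and `expected_trials(200)` gives the "about 70" figure.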
The RSA Algorithm (cont’d)
• The security of RSA
  • brute force: This involves trying all possible private keys.
  • mathematical attacks: There are several approaches, all equivalent in effect to factoring the product of two primes.
  • timing attacks: These depend on the running time of the decryption algorithm.
The RSA Algorithm (cont’d)
• To avoid brute force attacks, a large key space is required.
• To make n difficult to factor
  • p and q should differ in length by only a few digits (both in the range of $10^{75}$ to $10^{100}$)
  • both (p-1) and (q-1) should contain a large prime factor
  • gcd(p-1, q-1) should be small
  • should avoid $e \ll n$ and $d < n^{1/4}$
The RSA Algorithm (cont’d)
• To make n difficult to factor (cont’d)
  • p and q should best be strong primes, where p is a strong prime if
    • there exist two large primes $p_1$ and $p_2$ such that $p_1 \mid p-1$ and $p_2 \mid p+1$
    • there exist four large primes $r_1$, $s_1$, $r_2$ and $s_2$ such that $r_1 \mid p_1-1$, $s_1 \mid p_1+1$, $r_2 \mid p_2-1$ and $s_2 \mid p_2+1$
  • e should not be too small, e.g. for $e = 3$ and $C = M^3 \bmod n$, if $M^3 < n$ then M can be easily calculated
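A key-generation sanity check for the guidelines on the last two slides, as an added example that is not part of the original slides. The function names and the thresholds `max_digit_gap` and `max_gcd` are assumptions (the slides give no numbers for "a few digits" or "small"), and the large-prime-factor and strong-prime conditions are not covered because they require factoring p-1 and p+1.

```python
import math

def check_rsa_parameters(p, q, e, max_digit_gap=3, max_gcd=16):
    """Return a list of findings for primes p, q and public exponent e.

    max_digit_gap and max_gcd are assumed thresholds, not values
    taken from the slides.
    """
    n, phi = p * q, (p - 1) * (q - 1)
    if math.gcd(e, phi) != 1:
        return ["e is not relatively prime to phi(n), so no d exists"]
    d = pow(e, -1, phi)                      # d * e = 1 mod phi(n)
    findings = []
    if abs(len(str(p)) - len(str(q))) > max_digit_gap:
        findings.append("p and q differ in length by more than a few digits")
    if math.gcd(p - 1, q - 1) > max_gcd:
        findings.append("gcd(p-1, q-1) is not small")
    if d ** 4 < n:                           # exact integer form of d < n^(1/4)
        findings.append("d < n^(1/4)")
    return findings

def is_unreduced(m, e, n):
    """True when M^e < n, so C = M^e mod n is just the integer M^e
    and the modulus gives no protection (the slide's e = 3 case)."""
    return m ** e < n

# Constructed inputs: the slides' Example 1, then two Mersenne primes of
# very different size with e chosen so that the private exponent is d = 17.
P_BIG, Q_BIG = 2**61 - 1, 2**31 - 1
E_BAD = pow(17, -1, (P_BIG - 1) * (Q_BIG - 1))
example_1 = check_rsa_parameters(7, 17, 5)
mismatched = check_rsa_parameters(P_BIG, Q_BIG, E_BAD)
```
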
The RSA Algorithm (cont’d)
• Major threats
  • the continuing increase in computing power (100 or even 1000 MIPS machines are easily available)
  • continuing refinement of factoring algorithms (from QS to GNFS and to SNFS)
Key Management
• The distribution of public keys
  • public announcement
  • publicly available directory
  • public-key authority
  • public-key certificates
• The use of public-key encryption to distribute secret keys
  • simple secret key distribution
  • secret key distribution with confidentiality and authentication
Key Management (cont’d)
• Public announcement
Key Management (cont’d)
• Public announcement (cont’d)
  • advantages: convenience
  • disadvantages: forgery of such a public announcement by anyone
Key Management (cont’d)
• Publicly available directory
Key Management (cont’d)
• Publicly available directory (cont’d)
  • elements of the scheme
    • {name, public key} entry for each participant in the directory
    • in-person or secure registration
    • on-demand entry update
    • periodic publication of the directory
    • availability of secure electronic access from the directory to participants
  • advantages: greater degree of security
Key Management (cont’d)
• Publicly available directory (cont’d)
  • disadvantages
    • need of a trusted entity or organization
    • need of additional security mechanism from the directory authority to participants
    • vulnerability of the private key of the directory authority (global-scaled disaster if the private key of the directory authority is compromised)
    • vulnerability of the directory records
Key Management (cont’d)
• Public-key authority